
CSOAI
22,000 EU financial entities. Five pillars. Already binding.
Regulation (EU) 2022/2554 has been fully applicable since 17 January 2025. ICT risk management, incident reporting, resilience testing, third-party risk, information sharing. Five pillars, no grace period left. We ship the evidence pack.
Article 2 brings roughly 22,000 EU financial entities into scope: credit institutions (banks), payment institutions and account information service providers, e-money institutions, investment firms, crypto-asset service providers (CASPs) and issuers of asset-referenced tokens under MiCA, central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers (AIFMs), UCITS management companies, data reporting service providers, insurance and reinsurance undertakings, insurance, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement provision (IORPs), credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories. ICT third-party service providers are in scope too: those the European Supervisory Authorities (ESAs) designate as critical (CTPPs) under Article 31 fall under the direct oversight framework of Chapter V, Section II.
Five pillars: (1) ICT risk management framework: governance, identification, protection and prevention, detection, response and recovery, backup and restoration, learning and evolving, communication (Articles 5-16; Article 16 is the simplified framework for small, non-interconnected entities). (2) ICT-related incident management, classification and reporting: every ICT-related incident is recorded, major incidents are notified to the competent authority on a fixed clock (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report), and significant cyber threats may be reported voluntarily (Articles 17-23). (3) Digital operational resilience testing: a risk-based testing programme run at least yearly on the ICT systems supporting critical or important functions, plus threat-led penetration testing at least every 3 years for the entities the competent authority identifies under Article 26(8) (Articles 24-27). (4) ICT third-party risk management: register of information, pre-contracting due diligence, the mandatory contract clauses of Article 30, concentration-risk assessment, and the oversight framework for CTPPs (Articles 28-44). (5) Voluntary information-sharing arrangements on cyber threat intelligence (Article 45).
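The major-incident reporting clock in pillar (2) has one trap worth seeing in code: the 24-hour limit runs from awareness, not from classification, so slow triage can make the initial notification due before the entity has formally classified the incident as major. The Python below is added here as an illustration; it is not code from this page or from CSOAI's products. It computes the three report deadlines from constructed timestamps and lists which reports are overdue. The 4h/24h, 72h and one-month figures are the ones in the RTS on incident reporting; the sample incidents, the `utc` helper and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Collection, Optional
import calendar


@dataclass(frozen=True)
class ReportDeadlines:
    """Due times for the three DORA major-incident reports."""
    initial: datetime
    intermediate: datetime
    final: datetime


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small constructor for timezone-aware UTC timestamps (example helper)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition, clamping the day (31 Jan -> 28/29 Feb)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def major_incident_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_sent_at: Optional[datetime] = None,
    intermediate_sent_at: Optional[datetime] = None,
) -> ReportDeadlines:
    """Deadlines per the incident-reporting RTS (assumed values, not from the page):
    initial:      4h after classification as major, but never later than 24h after awareness;
    intermediate: 72h after the initial notification was actually submitted;
    final:        one month after the intermediate report was actually submitted.
    Until a report has been submitted, the next deadline is computed from its due time,
    i.e. the earliest the following clock could start."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = (initial_sent_at or initial) + timedelta(hours=72)
    final = add_one_month(intermediate_sent_at or intermediate)
    return ReportDeadlines(initial, intermediate, final)


def overdue_reports(deadlines: ReportDeadlines, now: datetime, sent: Collection[str]) -> list:
    """Names of reports whose deadline has passed without a submission, in report order."""
    return [
        name
        for name in ("initial", "intermediate", "final")
        if name not in sent and now > getattr(deadlines, name)
    ]


if __name__ == "__main__":
    # Constructed sample: incident detected Monday 09:00 UTC, only classified as major
    # 25 hours later. The 24h-from-awareness rule binds, so the initial notification
    # was already due an hour before the classification decision was taken.
    aware = utc(2025, 3, 3, 9)
    classified = utc(2025, 3, 4, 10)
    d = major_incident_deadlines(aware, classified)
    print("initial due      ", d.initial.isoformat(), "(before classification)" if d.initial < classified else "")
    print("intermediate due ", d.intermediate.isoformat())
    print("final due        ", d.final.isoformat())
    print("overdue at classification:", overdue_reports(d, classified, sent=set()))
```

The design choice to note: the intermediate and final deadlines are recomputed from the actual submission times once those are known, because the RTS anchors each later clock on the previous submission rather than on the previous due date. Feed the real submission timestamps back in as they happen, or the later deadlines will be optimistic.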
Articles 26 and 27 plus the RTS on TLPT: at least every 3 years (the competent authority can ask for a shorter or longer interval based on the entity's risk profile), the financial entities identified under Article 26(8) must run a Threat-Led Penetration Test following the TIBER-EU framework as adapted for DORA. The test replays the TTPs of threat actors relevant to the entity, is scoped to live production systems supporting critical or important functions, and must include the ICT third-party providers that support those functions (Article 26(3)). Testers are not approved by the ESAs; Article 27 sets the requirements. External testers must meet the suitability, capability, certification, independence and insurance conditions of Article 27(1); internal testers may be used only with the competent authority's approval and with an external threat-intelligence provider engaged (Article 27(2)). Afterwards the entity submits a summary of relevant findings, its remediation plans and the test documentation to the competent authority, which issues an attestation confirming the test was performed (Article 26(6)).
Lex specialis. DORA is the sector-specific act for financial entities (DORA Recital 16, NIS2 Article 4): where its requirements apply, the NIS2 cybersecurity risk-management and incident-reporting obligations (NIS2 Articles 21 and 23), together with NIS2 supervision and enforcement for those obligations, do not apply to the entity. The carve-out operates at entity level, not function by function, so a DORA entity's HR or marketing systems are not pulled back under NIS2 Article 21; what can still land in NIS2 scope is a separate group company that is itself an essential or important entity. Practical: financial entity = DORA primary, NIS2 carve-out for that entity, GDPR always.
Penalties for financial entities are set by national law: DORA is a Regulation and needs no transposition, but Article 50 leaves administrative penalties and remedial measures to Member States (effective, proportionate and dissuasive, with at least the measures listed in Article 50(4), and optionally criminal penalties under Article 50(3)), so ceilings differ by jurisdiction and the Regulation itself fixes no percentage-of-turnover cap for financial entities; the "2% of global turnover" figure sometimes quoted comes from other EU regimes, not from DORA. The one turnover-based figure in the text is the Lead Overseer's periodic penalty payment against a CTPP that fails to comply with oversight measures (Article 35(8)): up to 1% of the CTPP's average daily worldwide turnover in the preceding business year, charged per day, for up to six months.
meok-dora-nis2-crosswalk-mcp (MIT) maps DORA controls to NIS2, ISO 27001 and SOC 2 to prevent duplicate work. /transparency (£399/mo) covers Article 17 incident logging and Article 18 classification. /audit-prep-bundle (£4,950) wraps DORA-NIS2, EU AI Act and EU CRA in a 14-day signed evidence pack. /consulting (£950/day) for TLPT scoping support.
Free 30-min triage call: bring your DORA gap, we map remediation + signed evidence flow.
Source: Regulation (EU) 2022/2554 · MEOK AI Labs · CSOAI LTD · UK Companies House 16939677